seventh national hipaa summit

Seventh National HIPAA Summit HIPAA Compliance Case Study: HIPAA and Academic Medicine - Lessons Learned Past, Present and Future


Post on 08-Feb-2016


DESCRIPTION

Seventh National HIPAA Summit. HIPAA Compliance Case Study: HIPAA and Academic Medicine - Lessons Learned Past, Present and Future. Marti Arvin. University of Louisville Privacy Officer Phone: 502-852-3803 Fax: 502-852-3855 Email: [email protected]. Past, Present, and Future.

TRANSCRIPT

Seventh National HIPAA Summit

HIPAA Compliance Case Study:

HIPAA and Academic Medicine - Lessons Learned Past, Present and Future

Marti Arvin

University of Louisville

Privacy Officer

Phone: 502-852-3803

Fax: 502-852-3855

Email: [email protected]

Past, Present, and Future

BACKGROUND
  Two different institutional approaches
  Two different implementation models

LESSONS LEARNED

FUTURE STRATEGIES

BACKGROUND

DIFFERENT COVERED ENTITY SETTINGS
  University of Pittsburgh Medical Center
  University of Louisville

DIFFERENT IMPLEMENTATION MODELS
  UPMC Model
  U of L Model

University of Pittsburgh Medical Center

Single covered entity for Medical Center
  20+ hospitals
  2 large physician practices
  Several smaller physician practices
  Home health
  Long term care

Affiliation with, but separate from the University

University of Louisville

Hybrid Covered Entity
  School of Medicine
    Faculty Practices
    University Contracted Clinics
  School of Dentistry
  School of Nursing

University of Louisville

Department of Psychology

Other Miscellaneous Clinical Settings

Group Health Plan

Four Hospitals as primary affiliates

Implementation Models

UPMC model
  Started January 2002
  Created and filled position of Director of HIPAA program office
  Created HIPAA workgroups based on segments of the regulation

UPMC Implementation Model

Drafted single notice to be used by all business units in the Medical Center

Drafted system level general policies

Allowed business units to draft policies and procedures specific to the business unit

UPMC Implementation Model

Examples of business unit specific policies
  Distribution of Notice and recording acknowledgement
    Hospital
    Physician Offices
  Accounting for Disclosures
    Hospital (paper based)
    Physician Offices (web enabled tracking tool)

UofL Implementation Model

Started Jan-Feb 2003

Separate organized efforts in various schools and programs

Meeting at least minimal requirements by April 14, 2003

Created the position & hired me as university privacy officer June 2003

UofL Implementation Model

Different groups based on area of focus
  Research
  Physician Practices
  Affiliated Hospitals
  Dental School

LESSONS LEARNED

People tend to think in their own frame of reference

While late is still better than never – late is problematic

Central function is often better than decentralized

Any legal document needs legal review


LESSONS LEARNED

Customer service is critical

A little knowledge is dangerous

Use your PR staff

Unlike Y2K, we are not done with HIPAA

No one is perfect

People think in their own frame of reference

Examples:
  The notice
    Notices drafted with references to specific type of business unit

Solutions
  Any reference to hospital was changed to “hospital or facility”
  Any reference to medical records department was changed to “doctor or place where you received care”

While late is still better than never – late is problematic

A late start in preparing for HIPAA is better than no start at all

Problems with late starts
  Everything is done in a panic
  No chance to scrutinize

Advantage of late start
  Learn from others

Central function is often better than decentralized

Centralized function allows for
  Better controls
  Consistent answers to questions
  Obtain economy of scale

Decreases burden on individual business units

Must be a coordinated effort

Any legal document needs legal review

A little thing can make a big difference
  Legal review after wordsmithing

A single word can change the meaning
  Notice language
    Acknowledgment states patient has read notice
    States patient has the right to amend their PHI
  Business Associate Agreement
    Indemnification clause that is not legally binding on state entity
  Authorization
    Does not include the required elements
    Does not include state law issues

Customer service is critical

Good customer service can eliminate many issues
  Patients want to opt out of fundraising
  Patients do not want their information used or disclosed a certain way
  Patients think their rights have been violated

A little knowledge is dangerous

Employees can go overboard on HIPAA
  To get PHI, promise your first born child

Individuals mix up various sections of HIPAA

Educate, Educate, Educate

Use your PR staff

Notice plain language requirement

User friendly documents

Nothing in HIPAA prevents a little PR in your documents

Unlike Y2K, we are not done with HIPAA

April 14, 2003 has come and gone, so we’re done

TCS remains

Security remains

HIPAA’s ongoing compliance issues remain

No one is perfect

Accept the fact that there will be mistakes

Don’t beat yourself up

Don’t beat others up

FUTURE STRATEGIES

Coordinate with components of HCE for TCS

Be better prepared for Security

Continue development of a HIPAA compliance program

QUESTIONS